August 2017: The Month in Ransomware

Although the ransomware industry has resumed growth after July’s decline, nothing game-changing happened in the online extortion ecosystem last month. There was an influx of new GlobeImposter ransomware variants and real-life spinoffs of the Hidden Tear proof-of-concept. The Locky strain geared up for another rise with its Lukitus persona. And a sample dubbed Defray targeted large organizations in the United States and UK. Overall, 50 new ransomware samples and 43 derivatives of existing strands were discovered in August.

AUGUST 1, 2017

US company trying to get off the Petya hook

Merck, one of the world’s largest pharmaceutical companies, admits to having serious issues recovering from the Petya, or NotPetya, an attack that took place in late June. According to the official report, the compromise affected Merck’s manufacturing, packaging, and formulation operations.

RSA2048Pro ransomware encrypts data selectively

A new crypto virus called RSA2048Pro is coded in C#. Although it appears to be fairly commonplace at first sight, a unique approach to handling a victim’s files makes it stand out from the crowd. It leverages a time filter to first encrypt newer files written in the past three months.

The half-baked SevenDays ransomware

This one got its name from the extension it concatenates to encrypted files. The odd thing, though, is that the contents of its ransom note don’t make sense. It’s just an iterative sequence of “SEVENDAYS” without spaces in between. Obviously, the crooks don’t seek any profit and may be fooling around this way.

TPS 1.0 ransomware

The sample called TPS 1.0 is a combo of classic ransomware and a screen locker. It displays a WannaCry-style warning screen. Its development appears to be still in progress, so it doesn’t encrypt any data at this point.

GlobeImposter switches to new file extension

The latest GlobeImposter ransomware release appends the .726 extension to encrypted files. It drops a rescue note named RECOVER-FILES-726.html. Previously, we saw a tiny wave of the .725 variant.

FileCryptor ransomware handles filenames like no other

A new specimen called FileCryptor, also referred to as Blackzd or Blackout, does not concatenate any extensions to hostage data items. Instead, it replaces original filenames with strings of random 16 hexadecimal characters.

AUGUST 2, 2017

LockBox ransomware spotted

The strain in question uses the .trevinomason1@mail.com.vsunit suffix to blemish hostage data. It instructs victims to send three encrypted files, each one under 2 MB in size, to trevinomason1@mail.com or salvatoreolsond598d@gmail.com.

Crystal strain packs a three-in-one punch

A Fresh sample called the Crystal ransomware is a fusion of three malicious entities, namely a virus downloader, a DDoS component, and a crypto module that deploys the extortion proper.

RobinHood ransomware with political flavor

The warning screen generated by this specimen is titled “Help Yemen”, condemns the politics of Saudi Arabia, and instructs victims to “pay five Bitcoins to help Yemeni people.” It provides a 72-hour deadline to submit the ransom.

WannaPay ransomware being developed

Having debugged the code of the in-dev WannaPay baddie, researchers got some clues regarding the author’s name. It currently uses a hardcoded path C:\Users\DORA to store the recovery how-to manual and cryptographic information.

EbayWall ransomware tells you a story

This infection propagates via booby-trapped Kijiji emails, demands a whopping $9 million worth of Monero, stains encrypted files with the .ebay string, and adds a rescue note called ebay-msg.html. The latter reads, “Many of your files were locked because of gross negligence” and contains a story about some coder’s project being taken over by a metaphoric monkey, whatever that should mean.

The latest iteration of the GlobeImposter ransomware switches to appending the .sea extension to victims’ files and provides ransom instructions in a document named “!your_files!.html”. No other noteworthy changes have been made.

AUGUST 4, 2017

Cerber extends its malicious reach

A fresh edition of the Cerber strain gets equipped with extra features beyond extortion alone. It can now pilfer browser passwords and data related to cryptocurrency wallets, effectively turning into a hybrid of ransomware and spyware.

Shutdown57 ransomware released

This primitive-looking threat stains encrypted data with the .shutdown57 extension and provides payment instructions in a file named shutdown57.php. Victims are coerced into contacting the attacker via greenvirus707@gmail.com.

Yet another tweak of GlobeImposter

One more variant of the GlobeImposter blackmail Trojan affixes the .490 string to every encrypted file. The ransom note is named free_files!.html.

Oxar ransomware gets a new GUI

This spinoff of the Hidden Tear PoC originally popped up in mid-July. Like before, it still labels hostage files with the .OXR extension and drops Instructions.txt ransom how-to. What has changed, though, is the File Decryptor window that got a new look and feel. Strangely enough, it only demands $3 worth of Bitcoin for decryption, so this may be a test run of the updated ransomware.

AUGUST 5, 2017

3301 ransomware based on Karmen RaaS

A ransomware toolkit called Karmen popped up on Russian dark web resources in April 2017. Later on, it was renamed to Mordor, and now it manifests itself as the 3301 ransomware. The updated infection concatenates the .3301 extension to locked files.

AUGUST 6, 2017

GlobeImposter continues to evolve

A brand-new iteration of the GlobeImposter ransomware appears in the wild. It blemishes skewed files with the .mtk118 extension and drops how_to_back_files.html ransom note.

Polski ransomware spotted

As the name prompts, this strain zeroes in on Polish-speaking users. The external indicators of compromise include the .ZABLOKOWANE file extension and rescue note named ### – ODZYSKAJ SWOJE DANE – ###.txt.

Balbaz ransomware in a nutshell

A new sample called Balbaz subjoins the .WAmarlocked extension to encrypted files and provides recovery-through-payment steps in a manual named READ_IT.txt.

UEFI ransomware being created

Cybersecurity analysts come across the UEFI ransomware specimen whose development is still in progress. While the encryption module has yet to be added to its malicious toolset, it already replaces the original wallpaper with one that asks for $350 worth of Bitcoin and includes a reference to Decrypt.txt rescue note.

AUGUST 7, 2017

TPS Ransomware renamed

The sample called TPS was discovered on August 1 while still in development. It did not encrypt any data back then. The devs appear to have now added a crypto module to the infection. Another change is that the updated build manifests itself as Why-Cry.

CryptoMix using the .OGONIA extension

A fresh variant of the prolific CryptoMix ransomware switches to using the .OGONIA suffix for hostage files. The ransom note is named _HELP_INSTRUCTION.txt.

One more CryptoMix edition at large

Yet another sample from the CryptoMix lineage surfaces. It uses the new .CNC extension to stain encrypted files while still dropping the _HELP_INSTRUCTION.txt ransom how-to.

GlobeImposter version attacking Russian users

The new iteration of the GlobeImposter ransomware goes with clear-cut OS localization restrictions, zeroing in on computers with Russian language pack installed. This one concatenates the .crypt string to skewed data and uses the following contact emails: alfatozulu@mail.ru and alfatozulu@tutanota.com.

Another GlobeImposter build pops up

The GlobeImposter family gets bigger as a fresh version goes live. The newcomer affixes the .coded extension to locked files and instructs victims to send a message to decoder_master@aol.com or decoder_master@india.com for recovery steps. The rescue note is how_to_back_files.html.

GlobeImposter tries to reach the stars with another edition

A new variant adds the .astra extension to ransomed files and provides a recovery walkthrough named here_your_files!.html.

GlobeImposter authors stay restless

These crooks are releasing an unthinkable number of spinoffs all the time. One more GlobeImposter persona appears that labels encrypted files with the .492 extension. It coerces victims to contact the attackers via file_free@protonmail.com or koreajoin69@tutanota.com address.

Diamond Computer Encryption sample

That’s an offbeat name for a ransom Trojan, isn’t it? This strain concatenates a random extension to encrypted data entries and uses a ransom how-to named _READ_IT_FOR_RECOVER_FILES.html. The perpetrators demand 0.1 Bitcoin (about $400) for decryption.

AUGUST 8, 2017

LOCKD ransomware spotted

The damage from the LOCKD Trojan is restricted to locking one’s screen, with no crypto being involved in the attack chain. It impersonates the FBI and accuses the victim of violating U.S. federal laws. The ‘fine’ amounts to $200. Interestingly, this ransom is payable via MoneyPak.

WanaCry4 specimen discovered

Although the name of this ransomware sure sounds familiar to everyone who keeps track of cybersecurity events, it actually has nothing to do with the notorious WannaCry virus. The sample is a spinoff of CryptoWire, proof-of-concept ransomware code written in AutoIt and posted on GitHub in May 2016. WanaCry4 prepends a file’s original extension with the ‘encrypted’ string.

Xorist ransomware devs say ‘HELLO’

The latest iteration of the Xorist strain blemishes enciphered files with the .HELLO extension and drops a document named HOW TO DECRYPT FILES.txt containing steps on how to sort things out.

Another day, another GlobeImposter update

New ork appears in the GlobeImposter horde. It leaves a ransom note named Read_ME.html and concatenates the ‘..txt’ extension to encrypted files.

AUGUST 9, 2017

Tor didn’t help a sextortionist evade prosecution

U.S. authorities arrest a man on suspicion of engaging in sextortion, a felony where victims are coerced into sending photos of a sexual nature to the criminal. Although the suspect Buster Hernandez used Tor to hide his tracks, the FBI sent him a Trojanized video that, when opened, exposed his IP address and location.

Double update of the Oxar ransomware

The makers of Oxar, a sample discovered on July 10, release two new variants in one shot. The spinoffs use the .PEDO and .ULOZ file extensions and go equipped with a text-to-speech feature.

Details of the Cerber distribution campaign uncovered

Researchers from Malwarebytes Labs dissect an ongoing wave of Cerber ransomware propagation. The campaign relies on an exploit kit called Magnitude. According to the analysts’ findings, the Cerber binary is surreptitiously downloaded and executed on a computer after the victim visits a landing page with exploits.

AUGUST 10, 2017

IsraBye strain is more destructive than it appears

Politically-motivated creators of the IsraBye ransomware start a campaign that revolves around sabotage rather than extortion. The infection displays a lock screen saying, “You will recover your files when we recover Palestine.” Ultimately, victims lose their data for good.

GlobeImposter keeps spewing out new variants

This lineage gives rise to another edition stains encrypted files with the .rumblegoodboy extension. Go figure what that means. This sample drops how_to_back_files.html ransom note.

Globe ransomware clone discovered

As opposed to its prototype, the copycat is coded in .NET. While imitating the ransom warning used by Globe and GlobeImposter, the lookalike uses the .[cho.dambler@yandex.com] file extension and HOW_TO_BACK_FILES.html recovery manual.

Oxar strain produces more offspring

The only change made to the original Oxar ransomware in the course of the update is that the new edition appends the .FDP string to encrypted files.

AUGUST 11, 2017

Man arrested for spreading Petya.A virus

Ukrainian Cyber Police arrest a 51-year-old man as part of an investigation into the recent Petya.A ransomware outbreak. More specifically, the suspect reportedly conducted a form of follow-up attacks against local organizations. The most interesting part of this incident is that companies were being infected on purpose in order to conceal fiscal manipulations and evade taxes.

Gryphon ransomware tweak

The Gryphon ransomware, an offshoot of the BTCWare lineage, gets an update. The pest switches to using the .[gladius_rectus@aol.com ].crypton string for encrypted data – note that the extra space in the extension is deliberate. This variant drops a ransom note named HELP.txt.

AUGUST 12, 2017

Two more GlobeImposter variants

Researchers discover new spinoffs of the GlobeImposter codebase. One concatenates the .0402 string to hostage files and creates a rescue note named !SOS!.html. The other uses the .Trump extension for encrypted files.

AUGUST 14, 2017

Jigsaw version with Polish roots

Zeroing in on Polish-speaking users, this Jigsaw iteration affixes the .pabluklocker extension to ransomed data. It demands $50 worth of Bitcoin for recovery.

Shinigami ransomware spotted

The specimen called Shinigami Locker displays a Joker-style ransom note that instructs victims to pay a Bitcoin equivalent of $50. It leverages DES (Data Encryption Standard) to lock down a target’s personal files, subsequently renaming them and appending the .shinigami extension.

Hidden Tear still heavily abused by crooks

Another offshoot of the academic Hidden Tear ransomware surfaces. It blemishes encoded files with the .locked extension and instructs the victim to contact the felons via one of five email addresses: 7hfjmtg6@cock.li, TkBB6dd6@mail2tor.com, YtXjCVRU@rape.lol, qD2fXaKA@hitler.rocks, and sZSZ4LX9@mail2tor.com.

MMM ransomware pops up

This one appears to be professionally tailored as it employs three cryptosystems to deny access to a victim’s data, namely RSA, AES, and HMAC (keyed-hash message authentication code). It concatenates the .0x009d8a extension to encrypted files.

Cerber knockoff from the Xorist lineage

A new sample is detected that subjoins the .Cerber_RansomWare@qq.com suffix to every encoded file. Upon closer scrutiny, though, it turns out to have nothing to do with Cerber. It is actually a decryptable variant of the Xorist ransomware.

GlobeImposter keeps spawning derivatives

Five fresh modifications of the GlobeImposter ransomware are released. They use the following extensions to label encrypted files: .GRANNY, .LEGO, .UNLIS, .ZUZYA, and .D2550A49BF52DFC23F2C013C5.

AUGUST 15, 2017

Another GitHub repo becomes a ransomware Smithy

Open-source ransomware project uploaded to GitHub by an Indonesian hacker nicknamed Shor7cut is growing increasingly popular with crooks. This perpetrating code popped up about a year ago and was designed to infect PHP web servers. It has since spawned three PHP ransomware variants dubbed JapanLocker, Lalabitch, and more recently one called EV.

Infinite Tear baddie appears

This one can be identified by the following hallmarks: it affixes the .JezRoz string to locked files and leaves a recovery how-to document named Important_Read_Me.txt.

Null ransomware introducing null novelty

The strand in question got its name from the .null extension it appends to encrypted data. Its payload passes itself off as a PDF document.

RotoCrypt, new one on the table

Rather than drop a ransom note onto an infected host, the RotoCrypt ransomware instructs the victim to shoot a message to diligatmail7@tutanota.com for decryption steps. It concatenates the .OTR string to enciphered files.

.NET ransomware called Crypt12

Crypt12 tweaks filenames according to the following pattern: original filename and extension=id=email address.crypt12. It goes equipped with a GUI and replaces one’s desktop background with a warning image.

BRansomware is nothing out of the ordinary

A brand new sample called BRansomware concatenates the .GG string to encrypted files. Its implementation of AES crypto is buggy as it uses an incorrect block size.

AUGUST 16, 2017

SyncCrypt ransomware goes off the beaten track

The most unordinary property of the new SyncCrypt sample is the way it is distributed. The payload lurks under several layers of obfuscation. First, a malspam email with WSF attachment ends up inside one’s inbox. Once this attachment is opened, an embedded script downloads several images that, in turn, conceal ZIP files with the malicious binary and other ransomware components. Most AV tools don’t raise red flags on image files, so SyncCrypt mainly stays undetected. This strain appends the .kk extension to encoded files.

Lukitus variant of the Locky ransomware

Locky is evidently trying to get back on the heavyweight arena. Security analysts spot a massive spam campaign delivering a new edition that appends encrypted files with the .lukitus extension. The ransom notes are named lukitus.htm and lukitus.bmp.

New prankish Java-based ransomware

A fresh specimen called Clico Cryptor subjoins the .enc suffix to scrambled files. It seems to be a joke infection as it instructs victims to shout “I am the king of animals” in Polish for 15 minutes to restore files.

Samas ransomware update

The Samas, or SamSam, strain gets a facelift. Its new iteration adds the .prosperous666 string to encrypted files and provides decryption steps in a manual named PLEASE-README-AFFECTED-FILES.html.

Free decryption tool for LambdaLocker now available

Avast releases a decryptor for the LambdaLocker ransomware family. This Trojan appends the .lambda_l0cked or .MyChemicalRomance4EVER extension to hostage files.

Matroska ransomware tweak

This strand is a Hidden Tear derivative originally discovered in mid-July, 2017. Its more recent variant has switched to using the .encrypted[Payfordecrypt@protonmail.com] extension for encoded data.

AUGUST 17, 2017

Most payloads delivered via malspam are ransomware

According to statistics on the cyber threat landscape for Q2 2017, the majority of all malware payloads arriving via booby-trapped emails installed ransomware onto recipients’ computers.

Funny-looking WoodMan screen locker

The lock screen displayed by the WoodMan Trojan depicts a weird creature holding a leaf in its hand. It must have been designed by a script kiddie who goes to elementary school. All it takes to unlock it is enter ‘mm2wood.mid’ password and click a button that says, “Make my computer nice again!”

Moon Cryptor ransomware

This one threatens to delete one file per minute until the victim pays up. It appends the .fmoon extension to encrypted files.

Draco PC ransomware in development

Similarly to the above-mentioned Moon Cryptor, Draco PC puts more pressure on victims than the average strain. It claims to delete one file every hour until the user submits 5 Euros in Paysafecard. Another threat it makes is about wiping system32 folder in two days. This sample is currently in testing mode and does not apply any crypto.

Yet another GlobeImposter mod

Researchers bump into a fresh variant of the GlobeImposter ransomware. It subjoins the .{saruman7@india.com}.BRT92 string to encoded files and provides decryption steps in a ransom note named #DECRYPT_FILES#.html.

AUGUST 18, 2017

WannaCry is still alive and kicking

Three months after the global WannaCry ransomware outbreak, LG Electronics admits their self-service kiosks across South Korea have been attacked, presumably by the same perpetrating code. It’s very odd that a high-tech company like LG had left some of its IT infrastructure unpatched against this nasty ransomware for such a long time.

CryptoMix family keeps growing

A new edition of the CryptoMix ransomware is discovered. The newcomer uses the .ERROR extension to label encrypted files and drops ransom notes named _HELP_INSTRUCTION.txt.

Screen locker zeroing in on Polish users

The infection generates a BSOD-style lock screen with Polish text. Thankfully, analysts have managed to get hold of the unlock code, which is 023135223.

AUGUST 21, 2017

False accusations made by the Cyron ransomware

Warning screen displayed by the new Cyron strand states that it detected child pornography in the victim’s browser history and demands a €50 Paysafecard to settle the case. The Trojan appends encrypted files with the .CYRON extension.

Kappa ransomware hails from a known family

Researchers spot a file-encrypting malware sample called Kappa, which is a spinoff of the Hidden Tear PoC based Oxar ransomware. This iteration still concatenates the .OXR string to locked data.

Trojan Dz, a new one on the table

The Trojan Dz specimen is a derivative of CyberSplitter, a ransomware species that has been around since September 2016. The newcomer uses the .Isis extension to label encrypted files.

Unnamed edition of Oxar

One more version of the above-mentioned Oxar ransomware is spotted in the wild. Its GUI is titled “File Decryptor / Oxar”. This build continues to concatenate the .OXR extension to victims’ personal files and demands $20 worth of Bitcoin.

Someone’s got a crush on a ransomware analyst

Well-known German security researcher Karsten Hahn comes across a new Hidden Tear variant that displays a picture of him and the phrase “Hello how are you? :)” on the lock screen.

Another proof-of-educational ransomware being a bad idea

McAfee researchers reveal some recent findings on the ransomware threat landscape. According to their statistics, nearly 30% of ransomware samples discovered in June were derivatives of the Hidden Tear proof-of-concept.

AUGUST 22, 2017

Prankish gist of the Xolzsec specimen

A new offshoot of the educational EDA2 ransomware code is spotted. The author claims to be a script kiddie – at least, that’s what the Internet meme-themed warning screen says. This Trojan affixes the .xolzsec string to hostage files.

Fresh descendant of Hidden Tear detected

This time, the crooks weaponized the academic ransomware code to zero in on French users. The infection subjoins the .locked suffix to files and drops a combo or rescue notes named Tutoriel.bmp and READ_IT_FOR_UNLOCK.txt.

AUGUST 23, 2017

More ransomware incursions may break out in Ukraine

Ukrainian cybersecurity firm ISSP (Information Systems Security Partners) alerts local businesses and authorities on a possible new massive ransomware campaign similar in scope to the newsmaking NotPetya outbreak from late June. According to the company’s findings, the official website of accounting software vendor Crystal Finance Millennium has been compromised and may start serving crypto ransomware on a large scale.

FlatChestWare strain is no big deal to handle

Yet another Hidden Tear variant pops up called FlatChestWare. It displays an anime-style picture in the warning window and concatenates the .flat string to encoded data. Analysts claim it’s decryptable beyond ransom.

French users are being increasingly targeted

An umpteenth version of the Hidden Tear PoC called VideoBelle begins making the rounds. It uses the banal .locked extension to blemish files and tries to extort €150 worth of Bitcoin.

Manual analog of the Cryakl ransomware is spotted

While scouring the web for new crypto baddies, researchers bump into a counterpart of the Cryakl strain that’s operated manually. It is, effectively, an easy-to-configure encryption tool that can be used for malicious purposes.

AUGUST 24, 2017

‘Cypher’ is no longer a misspelling

New blackmail Trojan called Cypher is discovered. Written in Python, it is currently in testing mode. The pest adds the .enc extension to ransomed files.

Wooly ransomware is on its way

Security analysts spot a new .NET based sample that concatenates the .wooly string to files after encrypting them. Interestingly, it installs Tor Browser behind the scenes. This ransomware is in development at this point.

AUGUST 25, 2017

CryptoMix lineage updated

New offspring of the CryptoMix ransomware codebase surfaces. It affixes the .EMPTY extension to ciphered data and drops a rescue note named _HELP_INSTRUCTION.txt.

Android ransomware creation made easy

An unscrupulous Chinese developer cooked up a Trojan Development Kit that automates the process of creating Android ransomware. Currently promoted on dark web resources, this app allows wannabe crooks with low tech skills to make and distribute custom mobile ransom Trojans from the Lockdroid lineage.

PA-SIEM ransomware

This sample is still being developed and fine-tuned at the time of discovery. It subjoins the .PA-SIEM string to original filenames.

Crysis family expands

The new iteration of the Crysis ransomware is detected in the wild. The perpetrating program appends a victim’s files with a unique user ID followed by the .[chivas@aolonline.top].arena and also .cesar extensions.

Defray ransomware devs are picky about their targets

The strain in question isn’t in wide distribution, but its authors zero in on large organizations in the United States and UK. It is propagating via spear-phishing emails with booby-trapped Microsoft Word attachments. Defray focuses on contaminating healthcare, educational, technology, and manufacturing companies.

AUGUST 26, 2017

Hidden Tear based Ekoparty ransomware

The story of discovering this one is intricate because researchers first mistook it for an in-the-wild malicious sample. It turned out, though, that the specimen was made specifically for a demonstration of ransomware modus operandi during the Ekoparty Security Conference scheduled for late September 2017.

AUGUST 27, 2017

Blurred essence of the RansomPrank infection

A new offending program called RansomPrank shows a warning screen demanding 0.5 Bitcoin for data recovery, but it does not utilize any form or encryption at all. It’s therefore unclear what goals this one pursues.

Wooly ransomware is no longer in-dev

The recently discovered Wooly strain changes its status from testing to real-world propagation. Now it performs data encryption on a plagued computer and concatenates the .wooly extension to locked files.

AUGUST 28, 2017

Fresh BTCWare version goes live

The latest cyber-intruder from the BTCWare family stains encrypted data with the .nuclear extension preceded by an email address of a malicious affiliate that deposited the malady onto a PC. Just like its precursors, this edition is making the rounds via hacked Remote Desktop Services.

StrawHat ransomware pressures victims into paying fast

This sample appends a random extension to scrambled files and leaves recovery how-to manuals named YOUR_FILES_ARE_ENCRYPTED.txt/html. According to the ransom notes, the price depends on how fast the victim contacts the felons.

MindSystem ransomware turns out to be benign

The creator of this infection is kind enough to provide victims with a decryptor and unique key so that they can restore their data without coughing up the ransom. Furthermore, its alert screen reads, “For education only!” Well, the Internet community would be much better off without such experiments.

CryING ransomware is really dull

Made by someone who goes by online alias ‘h4xor’, this strand is nothing out of the ordinary. It crashes every so often and does not appear to append any extension to encrypted files.

Troll ransomware goes a ‘scorched-earth’ route

This one leverages XOR cipher to lock down a victim’s data. What makes it stand out from the rest is that it foolishly encrypts all types of data, including system executables, thus potentially affecting the stability of computer performance.

IRS-themed ransomware campaign underway

The US Internal Revenue Service (IRS) issues a warning about an ongoing ransomware distribution wave. Cybercriminals posing as IRS and FBI representatives are reportedly conducting a large-scale phishing fraud to lure users into opening Trojanized email attachments.

AUGUST 29, 2017

Scottish hospitals fall prey to ransomware

Data-encrypting malware called Bit Paymer infects the computer networks of several healthcare institutions in Scotland. The attackers demand a whopping 53 Bitcoin (about $248,000) to recover skewed data. The strain in question is known for targeting large companies. It is distributed via Remote Desktop Services protected by weak authentication credentials.

Akira ransomware has limited impact, so far

This sample was spotted while still in development. It concatenates the .akira extension to hostage files and only affects data inside the Videos directory.

Saher Blue Eagle ransomware updated

A modified build of the Saher Blue Eagle ransomware surfaces after many months of hiatus in this family. Luckily, this one is buggy and fails to encrypt data.

Ransomware attack demo by an expert

MalwareHunterTeam’s Michael Gillespie participates in a new episode of the Hackable podcast run by McAfee. The researcher demonstrates a ransomware incursion workflow by infecting the host’s computer.

AUGUST 30, 2017

KeyMaker ransomware detected

This one is a commonplace Hidden Tear derivative. It uses the .CryptedOpps extension to label ransomed files and drops a decryption how-to named READ_IT.txt.

Haze ransomware is a pathetic imitation of Petya

A new strain called Haze displays a warning screen that resembles the one shown by the infamous Petya ransomware. In fact, it is nothing but a lousy copycat with no crypto functionality under the hood.

OhNo! ransomware is unique in a way

Aside from the creative name, this specimen also differs from the vast majority because it accepts ransoms in Monero cryptocurrency rather than Bitcoin. The perpetrating program demands 2 XMR, which is currently worth about $260.

AUGUST 31, 2017

Princess ransomware campaign dissected

Malwarebytes researchers provide an in-depth analysis of new techniques used to push the Princess ransomware, also referred to as PrincessLocker. According to the report, the latest variant of this sample is making the rounds via a network of compromised websites and the notorious RIG exploit kit. This clever contamination vector takes advantage of Internet Explorer or Flash Player vulnerabilities to execute the ransomware binary on computers.

SUMMARY

It’s quite disconcerting that the free decryption tool for LambdaLocker was the only new one released by security analysts in August. This fact might suggest that ransomware devs are getting better at implementing cryptography securely. Hopefully, this is nothing but a speculation. Time will tell. For now, bear in mind that you’re sailing close to the wind unless you keep the most important data backed up.

About the Author:David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.